Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

spyware problem

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

spyware problem

Unread postby helen.bicari » March 24th, 2008, 5:42 am

hi, i have a problem with my computer. it is running fine, not being slow or anything, but often im being redirected to uk.celldrado.com and another websites like life insuarance. also sometimes warning like your computer is at risk, downloald antispyware comes up. if i click on cross to cancel it, it still wants open and run this file. and then opens web site where i can download that antispyware.i run 3x antispyware ad-aware, spybot-search&destroy and superantispyware, also avast antivirus and ouldnt find anything. i hijacked my computer and this is the result:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... TP&M=E4064
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://autoreg.autoregister.net/cgi/cmactivation
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
i analyzed it but didnt seem to find anything wrong. can u please help me somebody, as i had spyware before and was very hard to get rid of. i do online banking so im a bit worried. thanks
helen.bicari
Regular Member
 
Posts: 47
Joined: March 24th, 2008, 5:24 am
Advertisement
Register to Remove

Re: spyware problem

Unread postby chryssi2001 » March 27th, 2008, 1:37 pm

Hello helen.bicari,

I will be assisting you with your malware issues.

  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
  • Please bookmark or favourite this page. In case you need it as reference or etc.
IMPORTANT NOTE:
If you are using Windows Vista you must right click on the desktop icon and choose Run as Administrator all tools.
-------------------------------------------------------
Please run HijackThis again and post back a new log. The top part was cut-off.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: spyware problem

Unread postby helen.bicari » March 27th, 2008, 4:06 pm

hi, thanks for reply. here is the new log. i cut that top myself, didnt think it was important.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04:18, on 27/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... TP&M=E4064
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://autoreg.autoregister.net/cgi/cmactivation
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9468 bytes
helen.bicari
Regular Member
 
Posts: 47
Joined: March 24th, 2008, 5:24 am

Re: spyware problem

Unread postby chryssi2001 » March 28th, 2008, 2:17 am

Hello helen,

Thanks for the new HijackThis log. We need the top part too. ;)

Your HijackThis log is clean except a few minor things which we'll deal later.
Let's make a deeper check to see what's on your system.
----------------------------------------------
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
----------------------------------------------
Navilog1 for Windows 2000/XP

Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip
  • Extract its contents to the desktop.
  • Double click on navilog1.exe to install it on your computer.
  • When the installation is complete, the tool will start automatically.
  • If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
  • Press E for English from the language Menu.
  • Type 1 in the next Menu to select Search and press Enter.
  • Wait for the Scan to finish (It may take a reasonable amount of time)
  • Press any key as requested .
  • A new document will be produced: fixnavi.txt.
  • Please copy/paste the contents of this report in your next reply.
The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)
----------------------------------------------
Post back:
DSS report.
Navilog1 report.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: spyware problem

Unread postby helen.bicari » March 28th, 2008, 3:35 am

hello chryssi, i know that hijack this log is clean, cos i send it for analyze before i heard about MRU. i run antispyware and antiwirus manytimes and nothing was found. i actualy have feelings what software caused my problem, but when i installed it first, it was some online tv and i found it not interesting so uninstalled it. the thing is i wasnt receiving pop ups and warning about my computer until few days later. but im sure its this software, cos when i uninstalled it there was some questions asking, why did u decide to uninstall the tv and the same questions, just about not installing antispyware, poped up later when i didnt install antispyware. i am a bit worried about my online banking, but do u think i should call bank and change my passwords? i havent done it yet and everything is ok. anyway, i just have one question. when u said to close all applications and windows, does it mean even my antivirus and antispyware, running in background? i didnt shut them down, while running the dss scan, so hope i didnt make mistake. or tell me otherwise and i will do it again. here is the dss report.:

main.txt
Deckard's System Scanner v20071014.68
Run by HELENKA A MONDI on 2008-03-28 06:59:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
29: 2008-03-28 06:59:47 UTC - RP29 - Deckard's System Scanner Restore Point
28: 2008-03-27 16:51:35 UTC - RP28 - System Checkpoint
27: 2008-03-26 13:38:46 UTC - RP27 - System Checkpoint
26: 2008-03-25 09:58:45 UTC - RP26 - System Checkpoint
25: 2008-03-24 09:03:04 UTC - RP25 - Installed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2008-03-17 11:40:12 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as HELENKA A MONDI.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:01:07, on 28/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\HELENKA A MONDI\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HELENKA A MONDI.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... TP&M=E4064
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://autoreg.autoregister.net/cgi/cmactivation
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9476 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 KodakSvc (Kodak AiO Device Service) - "c:\program files\kodak\printer\center\kodaksvc.exe" <Not Verified; SDSD; KodakSvc>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-02-28 and 2008-03-28 -----------------------------

2008-03-24 17:21:11 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\CyberLink
2008-03-24 09:11:42 0 d-------- C:\Program Files\Trend Micro
2008-03-24 09:03:18 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-24 09:03:06 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-24 09:03:06 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\SUPERAntiSpyware.com
2008-03-23 08:20:39 0 d-------- C:\Program Files\Lavasoft
2008-03-23 08:20:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-23 08:19:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 08:08:40 101888 --a------ C:\WINDOWS\system32\vb6stkit.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-03-23 08:08:40 0 d-------- C:\Program Files\RegistrySmart
2008-03-22 18:00:47 0 d-------- C:\WINDOWS\system32\kodak
2008-03-20 06:58:26 0 d-------- C:\WINDOWS\Sun
2008-03-20 06:58:25 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\Sun
2008-03-19 19:06:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-19 18:47:42 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\AdobeUM
2008-03-19 18:01:36 0 d-------- C:\WINDOWS\network diagnostic
2008-03-17 21:13:25 0 d-------- C:\Program Files\MSXML 4.0
2008-03-17 17:48:18 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2008-03-17 17:48:13 0 d-------- C:\WINDOWS\creator
2008-03-17 17:48:08 0 d-------- C:\WINDOWS\SMINST
2008-03-17 17:47:46 0 dr------- C:\Program Files
2008-03-17 17:47:38 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-17 17:47:38 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-17 17:47:37 0 d--h----- C:\Documents and Settings\Default User\Local Settings
2008-03-17 17:47:37 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-17 17:47:37 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-17 17:47:37 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-17 17:47:36 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-17 17:47:36 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-17 17:47:36 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-17 17:47:36 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-03-17 17:47:36 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-03-17 17:47:35 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-03-17 17:47:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-17 17:46:30 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-17 17:44:44 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-17 17:24:35 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-17 17:17:01 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-17 17:16:45 0 d-------- C:\Program Files\Windows Live
2008-03-17 17:16:29 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-17 17:16:16 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-17 16:57:59 3022880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-17 16:55:51 0 d-------- C:\Program Files\ZoneAlarmSB
2008-03-17 16:54:15 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-17 16:54:12 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-17 16:54:07 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2008-03-17 16:53:53 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-03-17 16:53:23 0 d-------- C:\WINDOWS\Internet Logs
2008-03-17 16:46:48 20592 --a------ C:\logfile
2008-03-17 16:36:51 0 d-------- C:\Program Files\Alwil Software
2008-03-17 16:24:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-17 16:19:40 0 d-------- C:\WINDOWS\ShellNew
2008-03-17 16:18:50 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\Microsoft Web Folders
2008-03-17 15:53:05 0 d-------- C:\Documents and Settings\LocalService\Application Data\SDSD
2008-03-17 15:52:57 12288 --a------ C:\WINDOWS\system32\EKDeviceServices.dll <Not Verified; ; EKDevice Dynamic Link Library>
2008-03-17 15:52:08 0 d-------- C:\Program Files\QuickTime
2008-03-17 15:52:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-17 15:50:25 0 d-------- C:\Program Files\Common Files\Kodak
2008-03-17 15:48:46 0 d-------- C:\Program Files\Kodak
2008-03-17 15:47:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-17 15:00:58 0 d-------- C:\Program Files\Microsoft LifeCam
2008-03-17 14:56:55 0 d-------- C:\WINDOWS\system32\drivers\umdf
2008-03-17 14:48:09 0 d-------- C:\Program Files\uTorrent
2008-03-17 14:48:06 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\uTorrent
2008-03-17 14:42:17 0 d-------- C:\Program Files\Kontiki
2008-03-17 14:42:17 0 d-------- C:\Program Files\Channel4
2008-03-17 14:37:38 0 d-------- C:\Program Files\XP Codec Pack
2008-03-17 14:29:26 0 d-------- C:\WINDOWS\system32\appmgmt
2008-03-17 14:26:18 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-03-17 14:26:15 0 d-------- C:\Program Files\Codec Pack - All In 1
2008-03-17 14:19:23 0 d-------- C:\Program Files\Webteh
2008-03-17 13:44:16 0 d--hs---- C:\Documents and Settings\HELENKA A MONDI\UserData
2008-03-17 13:17:26 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-17 13:17:13 0 d-------- C:\Program Files\Common Files\Real
2008-03-17 13:17:12 0 d-------- C:\Program Files\Real
2008-03-17 13:16:50 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\Real
2008-03-17 13:16:06 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-17 12:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-17 12:32:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-03-17 12:30:24 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-17 12:30:22 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\Mozilla
2008-03-17 12:24:25 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Contacts
2008-03-17 12:23:34 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-17 12:20:31 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\Adobe
2008-03-17 12:16:35 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\Macromedia
2008-03-17 12:15:15 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\Google
2008-03-17 12:14:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-03-17 12:12:38 0 d-------- C:\Program Files\Common Files\Motive
2008-03-17 12:12:14 532594 --a------ C:\WINDOWS\system32\xerces-c_1_40_0_DDR.dll
2008-03-17 12:12:14 524377 --a------ C:\WINDOWS\system32\stlport_4_0_0_DDR.dll
2008-03-17 12:12:14 159744 --a------ C:\WINDOWS\system32\ssleay32_1-1-0_DDR.dll
2008-03-17 12:12:14 663552 --a------ C:\WINDOWS\system32\libeay32_1-1-0_DDR.dll
2008-03-17 12:12:14 307329 --a------ C:\WINDOWS\system32\BJBase_2-2-2_DDR.dll <Not Verified; BroadJump, Inc.; >
2008-03-17 12:12:12 0 d-------- C:\Program Files\BroadJump
2008-03-17 11:41:57 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\McAfee.com Personal Firewall
2008-03-17 11:41:06 0 d-------- C:\WINDOWS\system32\Lang
2008-03-17 11:40:27 0 d-------- C:\Documents and Settings\HELENKA A MONDI\WINDOWS
2008-03-17 11:40:27 0 d--h----- C:\Documents and Settings\HELENKA A MONDI\Templates
2008-03-17 11:40:27 0 dr------- C:\Documents and Settings\HELENKA A MONDI\Start Menu
2008-03-17 11:40:27 0 dr-h----- C:\Documents and Settings\HELENKA A MONDI\SendTo
2008-03-17 11:40:27 0 dr-h----- C:\Documents and Settings\HELENKA A MONDI\Recent
2008-03-17 11:40:27 0 d--h----- C:\Documents and Settings\HELENKA A MONDI\PrintHood
2008-03-17 11:40:27 2883584 --ah----- C:\Documents and Settings\HELENKA A MONDI\NTUSER.DAT
2008-03-17 11:40:27 0 d--h----- C:\Documents and Settings\HELENKA A MONDI\NetHood
2008-03-17 11:40:27 0 dr------- C:\Documents and Settings\HELENKA A MONDI\My Documents
2008-03-17 11:40:27 0 d--h----- C:\Documents and Settings\HELENKA A MONDI\Local Settings
2008-03-17 11:40:27 0 dr------- C:\Documents and Settings\HELENKA A MONDI\Favorites
2008-03-17 11:40:27 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Desktop
2008-03-17 11:40:27 0 d--hs---- C:\Documents and Settings\HELENKA A MONDI\Cookies
2008-03-17 11:40:27 0 dr-h----- C:\Documents and Settings\HELENKA A MONDI\Application Data
2008-03-17 11:40:27 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\SampleView
2008-03-17 11:40:27 0 d-------- C:\Documents and Settings\HELENKA A MONDI\Application Data\Identities
2008-03-17 11:39:57 0 d-------- C:\Documents and Settings\Default User\Application Data\SampleView
2008-03-17 11:35:08 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-17 11:14:01 0 d-------- C:\Program Files\McAfee
2008-03-17 11:14:01 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-17 11:13:54 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-03-17 11:13:23 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-03-17 11:12:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-03-17 11:12:35 741376 --a------ C:\WINDOWS\system32\BigFixSuppress.exe <Not Verified; New Boundary Technologies, Inc.; PrismXL Software Family>
2008-03-17 11:12:35 741376 --a------ C:\WINDOWS\system32\BigFixShortcutInStartup.exe <Not Verified; New Boundary Technologies, Inc.; PrismXL Software Family>
2008-03-17 11:12:33 67072 --a------ C:\WINDOWS\POWERCFG.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-17 11:11:38 0 d-------- C:\Program Files\Microsoft Works
2008-03-17 11:11:17 0 d-------- C:\Program Files\BigFix
2008-03-17 11:10:57 550912 --a------ C:\WINDOWS\zHotkey.exe <Not Verified; ; Multimedia Keyboard Driver>
2008-03-17 11:10:57 36864 --a------ C:\WINDOWS\ShowWnd.exe
2008-03-17 11:10:57 532544 --a------ C:\WINDOWS\PIC.dll
2008-03-17 11:10:57 4223 --a------ C:\WINDOWS\mHotkey.reg
2008-03-17 11:10:57 24576 --a------ C:\WINDOWS\HKNTDLL.dll
2008-03-17 11:10:57 11776 --a------ C:\WINDOWS\HIDMNT.dll
2008-03-17 11:10:33 4 --a------ C:\WINDOWS\Pix11.dat
2008-03-17 11:10:12 0 d-------- C:\Program Files\Microsoft Digital Image 2006
2008-03-17 11:09:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-03-17 11:09:30 40960 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-03-17 11:09:11 0 d-------- C:\WINDOWS\system32\RTCOM
2008-03-17 11:08:31 0 d-------- C:\Program Files\Realtek
2008-03-17 11:08:27 487424 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-03-17 11:08:18 520192 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-03-17 11:06:05 20480 --a------ C:\WINDOWS\system32\Marker32.exe <Not Verified; Gateway; Marker32>
2008-03-17 11:05:37 0 d-------- C:\Program Files\Java
2008-03-17 11:05:36 0 d-------- C:\Program Files\Common Files\Java
2008-03-17 11:03:08 94208 --a------ C:\WINDOWS\system32\bae.dll <Not Verified; Gateway Inc.; Browser Address Error Redirector>
2008-03-17 11:03:07 471300 --a------ C:\WINDOWS\wallpe.exe <Not Verified; ; wallpe>
2008-03-17 11:02:17 0 d-------- C:\Program Files\Digital Media Reader
2008-03-17 11:02:09 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-17 11:00:37 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2008-03-17 11:00:35 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-17 11:00:33 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-03-17 11:00:24 0 d-------- C:\Program Files\Google
2008-03-17 10:57:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-17 10:57:57 0 d-------- C:\Program Files\CyberLink
2008-03-17 10:57:55 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-17 10:55:52 0 d-------- C:\Program Files\Common Files\New Boundary
2008-03-17 10:55:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Prism Deploy
2008-03-17 10:53:47 2 -r-hs---- C:\USER
2008-03-17 10:51:50 0 d-------- C:\Program Files\CONEXANT
2008-03-17 10:49:34 0 d--hs---- C:\System Volume Information
2008-03-06 15:29:44 962560 --a------ C:\WINDOWS\system32\VSFilter.dll <Not Verified; Gabest; VSFilter>


-- Find3M Report ---------------------------------------------------------------

2008-03-23 08:19:59 0 d-------- C:\Program Files\Common Files
2008-03-17 16:18:32 0 d-------- C:\Program Files\microsoft frontpage


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
17/03/2008 16:55 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [06/08/2005 04:56]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [17/03/2008 11:00]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [09/12/2005 18:44]
"RTHDCPL"="RTHDCPL.EXE" [04/04/2006 10:44 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 11:43 C:\WINDOWS\Alcmtr.exe]
"CHotkey"="zHotkey.exe" [08/12/2004 17:57 C:\WINDOWS\zHotkey.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [12/08/2005 16:16]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [27/01/2003 17:16]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [17/03/2008 13:17]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [17/05/2007 21:45]
"VX6000"="C:\WINDOWS\vVX6000.exe" [10/04/2007 21:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/09/2006 15:57]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04/12/2007 13:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 16:05]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [03/04/2007 08:54]
"RegistryMechanic"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 19:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
"rdwbgbfp"="c:\documents and settings\helenka a mondi\local settings\application data\rdwbgbfp.exe" [20/03/2008 07:05]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 23:24]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29/02/2008 16:03]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [17/03/2008 11:11:17]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [20/02/2007 05:10:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 20:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-03-28 07:02:25 ------------


extra.exe
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 2.66GHz
CPU 1: Intel(R) Pentium(R) D CPU 2.66GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 893.59 MiB / 407.66 MiB
Pagefile Memory (total/avail): 2165.2 MiB / 1620.24 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.36 MiB

C: is Fixed (NTFS) - 181.74 GiB total, 168.01 GiB free.
D: is Fixed (FAT32) - 4.55 GiB total, 1.62 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2000BB-22RDA0 - 186.31 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 181.74 GiB - C:
\PARTITION1 - Unknown - 4.56 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.)
AV: avast! antivirus 4.7.1098 [VPS 080327-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HELENKA A MONDI\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-6B990CDCBB
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HELENKA A MONDI
LOGONSERVER=\\YOUR-6B990CDCBB
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HELENK~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\HELENK~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=YOUR-6B990CDCBB
USERNAME=HELENKA A MONDI
USERPROFILE=C:\Documents and Settings\HELENKA A MONDI
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HELENKA A MONDI (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4oD --> MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
aiofw --> MsiExec.exe /I{791E3D44-33D3-4446-82AD-5CD4B0169083}
aioocr --> MsiExec.exe /I{3BED0238-3A25-41AE-BC23-316914B5B048}
aioprnt --> MsiExec.exe /I{2A97D5B3-A989-47E1-B207-1CA9E3635655}
aioscnnr --> MsiExec.exe /I{C0251585-1BE8-4278-B3CB-964B6E01C59D}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Browser Address Error Redirector --> regsvr32 /u /s "c:\windows\system32\BAE.dll"
BSPlayer --> "C:\Program Files\Webteh\BSplayer\uninstall.exe"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
center --> MsiExec.exe /I{79E41D91-BA1C-44B9-9358-48E598263ECF}
Codec Pack - All In 1 6.0.3.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Help_CTR --> MsiExec.exe /I{0996C331-6DCB-4E38-A3EC-0A77ABAE1361}
helptut --> MsiExec.exe /I{843081BD-351F-46FC-8A17-517A0D9117A3}
helpug --> MsiExec.exe /I{DC626A21-EDF1-40C7-8F2F-D2BA7535529F}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
KODAK EASYSHARE 5000 Series All-in-One Software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_190001_2d6ae4\Setup.exe /APR-REMOVE
ksdip --> MsiExec.exe /I{73F1681F-ADE1-461F-9F18-B7640507D395}
Microsoft Digital Image 2006 Starter Edition --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft LifeCam --> MsiExec.exe /X{63AFACBC-4795-4A1B-8037-5085DC03FC54}
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK GbE & FE Ethernet PCI NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe" -l0x9 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB912067 --> "C:\WINDOWS\$NtUninstallKB912067$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB915381 --> "C:\WINDOWS\$NtUninstallKB915381$\spuninst\spuninst.exe"
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type715 / Success
Event Submitted/Written: 03/28/2008 06:51:22 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type698 / Success
Event Submitted/Written: 03/27/2008 03:52:58 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type685 / Error
Event Submitted/Written: 03/27/2008 06:49:42 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application msnmsgr.exe, version 8.5.1302.1018, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type684 / Error
Event Submitted/Written: 03/27/2008 06:49:39 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application msnmsgr.exe, version 8.5.1302.1018, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type676 / Success
Event Submitted/Written: 03/27/2008 06:48:00 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1448 / Warning
Event Submitted/Written: 03/27/2008 00:10:36 PM
Event ID/Source: 10 / W32Time
Event Description:
The time provider 'NtpClient' returned an error when asked for time samples.
The error will be ignored. The error was: The handle is invalid. (0x80070006)

Event Record #/Type1447 / Warning
Event Submitted/Written: 03/27/2008 11:53:32 AM
Event ID/Source: 10 / W32Time
Event Description:
The time provider 'NtpClient' returned an error when asked for time samples.
The error will be ignored. The error was: The handle is invalid. (0x80070006)

Event Record #/Type1446 / Warning
Event Submitted/Written: 03/27/2008 11:36:28 AM
Event ID/Source: 10 / W32Time
Event Description:
The time provider 'NtpClient' returned an error when asked for time samples.
The error will be ignored. The error was: The handle is invalid. (0x80070006)

Event Record #/Type1445 / Warning
Event Submitted/Written: 03/27/2008 11:19:24 AM
Event ID/Source: 10 / W32Time
Event Description:
The time provider 'NtpClient' returned an error when asked for time samples.
The error will be ignored. The error was: The handle is invalid. (0x80070006)

Event Record #/Type1444 / Warning
Event Submitted/Written: 03/27/2008 11:02:20 AM
Event ID/Source: 10 / W32Time
Event Description:
The time provider 'NtpClient' returned an error when asked for time samples.
The error will be ignored. The error was: The handle is invalid. (0x80070006)



-- End of Deckard's System Scanner: finished at 2008-03-28 07:02:25 ------------


fixnavi.txt
Search Navipromo version 3.5.1 began on 28/03/2008 at 7:15:51.67

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Actual User Account : "HELENKA A MONDI"

Updated on 23.03.2008 at 22h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 7.0.5730.13
Filesystem type : NTFS

Done in normal mode

*** Searching for installed Software ***




*** Search folders in C:\WINDOWS ***



*** Search folders in C:\Program Files ***



*** Search folders in C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***




*** Search folders in "C:\Documents and Settings\HELENKA A MONDI\applic~1" ***



*** Search folders in "C:\Documents and Settings\HELENKA A MONDI\locals~1\applic~1" ***



*** Search folders in "C:\Documents and Settings\HELENKA A MONDI\startm~1\programs" ***


*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

Hidden file(s) :

C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp.dat
C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp.exe
C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp_nav.dat
C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp_navps.dat



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in "C:\Documents and Settings\HELENKA A MONDI\locals~1\applic~1" *

Suspicious Files :

rdwbgbfp.exe found !

* Scan in "C:\docume~1\Administrator\locals~1\applic~1" *



*** Search files ***




*** Search specific Registry keys ***

HKEY_CURRENT_USER\Software\Lanconfig found !

*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :


2)Heuristic Search :

* In C:\WINDOWS\system32 :


* In "C:\Documents and Settings\HELENKA A MONDI\locals~1\applic~1" :

rdwbgbfp.dat found !

* In ""C:\docume~1\Administrator\locals~1\applic~1"" :


3)Certificates Search :

Egroup certificate found !
Electronic-Group certificate found !
OOO-Favorit certificate found !
Sunny-Day-Design-Ltd certificate not found !

4)Search known files :



*** Search completed on 28/03/2008 at 7:19:27.49 **

thanks a lot for helping
helen.bicari
Regular Member
 
Posts: 47
Joined: March 24th, 2008, 5:24 am

Re: spyware problem

Unread postby chryssi2001 » March 28th, 2008, 1:23 pm

Hello helen,

DSS report was fine. :)

Probably it was that software. It's not necessary to change your passwords. But for extra protection you can change them after we clean the pc as it's infected. Better stay away from online banking if possible untill i give you the all clean. After that, change your passwords and continue as before.
----------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------
You are using AVAST Anti-Virus.

But i see McAfee & McAfee.com firewall installed on your pc.
Did you use them in the past and they did expire?
Let me know so we can remove them. They are of no use.
----------------------------------------------
  • Double click on Navilog1 shortcut icon on your desktop to run it.
  • Press E for English from the language Menu.
  • Type 2 in the next Menu and press Enter.
  • The tool will then advise you that it will restart your computer.
  • Close all open windows and save personnal documents, if open, too.
  • If your computer doesn't restart automatically, restart it manually.
  • Choose your usual session.
  • Wait for the *** Cleaning stage complete! *** message (It may take a reasonable amount of time)
  • A new document will be produced.
  • Please copy/paste the contents of this report in your next reply.
  • Your desktop will now appear.
Note : In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

The report is also saved in the root directory, %SystemDrive%\cleannavi.txt.. (usually C:\cleannavi.txt)
----------------------------------------------
Post back:
Navilog report.
A new Hijackthis log.
Answer about McAfee so we can uninstall it.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: spyware problem

Unread postby helen.bicari » March 28th, 2008, 2:47 pm

hi, well if its ok, i will keep utorent, but not use it now. i also never used avg firewall or antivirus. it comes automaticly with computer, but i dont like it and i uninstalled it. so we can delete it, as i use alarm zone. can i just ask u what is the problem with my computer? the rdwbgbfp was always trying to acces my computer but zone alarm alerted me and i denied it, as i dont know what is it. dss scan was clean but navilog said my computer is infected? sorry, im just curious. also i didnt understand this: Note : In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

this is the navilog:

Navipromo Removal version 3.5.1 started on 28/03/2008 at 18:06:08.45

Fix running from C:\Program Files\navilog1
Session actuelle : "HELENKA A MONDI"
Actual User Account : "HELENKA A MONDI"

Updated on 23.03.2008 at 22h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Internet Explorer : 7.0.5730.13
Filesystem type : NTFS

Automatic removal
with Catchme and GNS results


*** Creating backups for files found by Catchme

Copy to "C:\Program Files\navilog1\Backupnavi"

Copy C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp.dat done !
Copy C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp.exe done !
Copy C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp_nav.dat done !
Copy C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp_navps.dat done !

*** Deleting files found with Catchme ***

C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp.dat deleted !
C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp.exe deleted !
C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp_nav.dat deleted !
C:\Documents and Settings\HELENKA A MONDI\Local Settings\Application Data\rdwbgbfp_navps.dat deleted !

** Second pass with Catchme results **

* In C:\WINDOWS\system32 *


C:\WINDOWS\prefetch\rdwbgbfp*.pf found !
Copy C:\WINDOWS\prefetch\rdwbgbfp*.pf done !
C:\WINDOWS\prefetch\rdwbgbfp*.pf deleted !

* In "C:\Documents and Settings\HELENKA A MONDI\locals~1\applic~1" *


*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\WINDOWS\System32 *


* Deletion in "C:\Documents and Settings\HELENKA A MONDI\locals~1\applic~1" *


* Deletion in "C:\docume~1\Administrator\locals~1\applic~1" *



*** Deleting folders in C:\WINDOWS ***


*** Deleting folders in C:\Program Files ***


*** Deleting folders in C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***


*** Deleting folders in "C:\Documents and Settings\HELENKA A MONDI\applic~1" ***


*** Deleting folders in "C:\Documents and Settings\HELENKA A MONDI\locals~1\applic~1" ***


*** Deleting folders in "C:\Documents and Settings\HELENKA A MONDI\startm~1\programs" ***


*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs ***



*** Deleting files ***


*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !
Cleaning of C:\Documents and Settings\HELENKA A MONDI\locals~1\Temp done !

*** Complementary Search ***
(Search specific files)

1)Deletion with backups new Instant Access files:

2)Heuristic search and deletion with backups :


* In C:\WINDOWS\system32 *


* In "C:\Documents and Settings\HELENKA A MONDI\locals~1\applic~1" *


* In "C:\docume~1\Administrator\locals~1\applic~1" *


*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Registry cleaned


*** Certificates ***

Egroup Certificate deleted !
Electronic-Group Certificate deleted !
OOO-Favorit Certificate deleted !
Sunny-Day-Design-Ltd Certificate not found !

*** Cleaning stage complete on 28/03/2008 at 18:13:11.34 ***

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:52, on 28/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... TP&M=E4064
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://autoreg.autoregister.net/cgi/cmactivation
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9388 bytes
helen.bicari
Regular Member
 
Posts: 47
Joined: March 24th, 2008, 5:24 am

Re: spyware problem

Unread postby chryssi2001 » March 28th, 2008, 3:45 pm

Hello helen :),

You misunderstood. I meant DSS report was fine because when you run the tool you had other applications open.
DSS report showed the infection too, and not only Navilog.

This Note : In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task. is included always in Navilog speech so if a user lose his/her desktop he will follow the instructions to regain his desktop.
I did not see this happen yet.

Navilog didn't create problem running on your pc so you didn't need that.
----------------------------------------------
i also never used avg firewall or antivirus. it comes automaticly with computer, but i dont like it and i uninstalled it. so we can delete it


It's not AVG but McAfee, so we'll remove the remainants.
----------------------------------------------
Now Go to Start-Settings-Control Panel, click on Add remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

    ZoneAlarmSB
    McAfee << If still there

----------------------------------------------
In case McAfee is still in your Add/Remove Programs run the removal tool as explained below.

Uninstall McAfee

Note : You should first attempt to remove your McAfee consumer products using Add/Remove Programs in the Windows Control Panel (Programs and Features, in Windows Vista). This is the best method. After uninstalling using Windows Add/Remove Programs, run the McAfee Consumer Removal Tool (MCPR.EXE) to ensure successful removal of all McAfee references.

Download the removal tool from HERE
  • Click Save and save the file to any folder on your computer.
  • Navigate to the folder where the file is saved.
  • Make sure all McAfee windows are closed.
  • Double-click MCPR.EXE to run the removal tool.
    • Note: Windows Vista users must right-click MCPR.EXE and select Run as Administrator.
  • Restart your computer after receiving the message CleanUp Successful.
----------------------------------------------
Please download the OTMoveIt2 by OldTimer and Save it to your Desktop.

Don't run it yet.
----------------------------------------------
Disable SUPERAntiSpyware until the computer is clean
  • Right-click on the shortcut from the system tray
  • Choose View Control Center (preferences/options)
  • On the General and Startup tab, uncheck Start SUPERAntispyware when Windows starts.
  • Click Close to exit.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
OTMoveIt2
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: Select all
    C:\Program Files\ZoneAlarmSB 
    C:\Documents and Settings\HELENKA A MONDI\Application Data\McAfee.com
    C:\Program Files\McAfee
    C:\Documents and Settings\All Users\Application Data\McAfee
    

  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
----------------------------------------------
Post back:
A new Hijackthis log.
OTMoveIt2 report.
Tell me if you still have pop-ups or being re-directed to other sites.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: spyware problem

Unread postby helen.bicari » March 28th, 2008, 4:27 pm

hi, just wanna tell u mcAfee(not avg,sorry about the mistake before) is not in add/remove program. i uninstalled it before and have no idea, its still in my computer. so shall i just download the removal toal and get rid of it hopefuly for good?
helen.bicari
Regular Member
 
Posts: 47
Joined: March 24th, 2008, 5:24 am

Re: spyware problem

Unread postby chryssi2001 » March 29th, 2008, 2:50 am

Hello helen,

Yes i realised that as i can't see any sign of AVG in your reports.
Please skip the part about uninstalling McAfee.
Do the rest including the OTMoveIt2 instructions which are meant to remove McAfee Folders from your pc.
You see after removing a program, the program folder is still there.

Post back the reports i asked and let me know if you still have problems,
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: spyware problem

Unread postby helen.bicari » March 29th, 2008, 3:52 am

hi chryssi,
here is the OTMoveIt2 report:
C:\Program Files\ZoneAlarmSB\bar\Settings moved successfully.
C:\Program Files\ZoneAlarmSB\bar\History moved successfully.
C:\Program Files\ZoneAlarmSB\bar\Cache moved successfully.
C:\Program Files\ZoneAlarmSB\bar\1.bin moved successfully.
C:\Program Files\ZoneAlarmSB\bar moved successfully.
C:\Program Files\ZoneAlarmSB moved successfully.
File/Folder C:\Documents and Settings\HELENKA A MONDI\Application Data\McAfee.com not found.
File/Folder C:\Program Files\McAfee not found.
File/Folder C:\Documents and Settings\All Users\Application Data\McAfee not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03292008_073917


and new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:44:39, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... TP&M=E4064
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://autoreg.autoregister.net/cgi/cmactivation
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8628 bytes

ok. i dont know but sofar no pop ups, but let u know later, if its ok. just wanna ask, shall i delete or uninstall dss and navilog and all softwares i installed during this time? also can u tell me, what was wrong with my computer? spyware, malware or virus? i would like to know to be aware next time. i also would like to thank you very much for your help, i found your instructions very easy to understand eventhough i dont know much about computers, i was able to do, what you asked me to do. i was thinking to become one of you too, because its amazing how u help people, desperate people, but i have 17 months old daughter and have to pay her a lot of attention, so maybe when she is older. so thanks again and i let u know about pop ups
helen.bicari
Regular Member
 
Posts: 47
Joined: March 24th, 2008, 5:24 am

Re: spyware problem

Unread postby helen.bicari » March 29th, 2008, 3:54 am

one more question. was there problem with zone alarm? i saw it in ther reports u asked me to fix. is it any good? i have 3 antispyware on my computer, avast antivirus and zone alarm. i thought my computer is well protected. shall i increase protection? thanks
helen.bicari
Regular Member
 
Posts: 47
Joined: March 24th, 2008, 5:24 am

Re: spyware problem

Unread postby chryssi2001 » March 29th, 2008, 4:29 am

Hello helen :) ,

ok. i dont know but sofar no pop ups, but let u know later, if its ok

Please do so. ;)

just wanna ask, shall i delete or uninstall dss and navilog and all softwares i installed during this time?

We'll remove them after we finish.

also can u tell me, what was wrong with my computer? spyware, malware or virus? i would like to know to be aware next time.

You had a nasty :evil: Navipromo infection. It's nasty because it's a type of rootkit which is hidden and hard to diagnose.

I suspect you got it because you are using a P2P program. You see even if the P2P programs are clean, the way they work, brings infections on your pc.
So i would again advice you to re-consider about using P2P programs.

i also would like to thank you very much for your help, i found your instructions very easy to understand eventhough i dont know much about computers, i was able to do, what you asked me to do.

You are welcome. :)

i was thinking to become one of you too, because its amazing how u help people, desperate people, but i have 17 months old daughter and have to pay her a lot of attention, so maybe when she is older

helen, we all have our real live too, but we find some free time to help people get rid of malware. You can do it anytime you want, even now.
Each person who signs in the University can read and learn at his/her own pace.
There is no rush for anything.

Have some read Here

one more question. was there problem with zone alarm? i saw it in ther reports u asked me to fix. is it any good? i have 3 antispyware on my computer, avast antivirus and zone alarm. i thought my computer is well protected. shall i increase protection?

No Zone alarm it's self is ok. We just remove ZoneAlarm Spy Blocker as it creates problems. It uses Ask.com Search Engine. Read information here if you want too.

When we finish i will give you advice for some protection programs you can use.

Wow, i've talked a lot :lol: :lol: .
-------------------------------------------------
Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 5.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 5 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u4-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
-------------------------------------------------
Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 8.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php
-------------------------------------------------
Now let's run some scans, to be sure there is nothing bad anymore on your pc.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
-------------------------------------------------
Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
-------------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
Kaspersky report.
A new HijackThis log.
Any pop-ups re-directions?
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: spyware problem

Unread postby helen.bicari » March 29th, 2008, 10:42 am

hi, i tried to uninstall java, but i cant. when i go to ad or remove program, there has been some changes, i dont know how to explain, but looks diferent and most of the softwares including java cant uninstall. when i click on it just says used rarely. thats all. also when i download new version of java, there has not been "jre-6u4-windows-i586-p.exe but "jre-6u5-windows-i586-p.exe. so i went for it, hope its ok
helen.bicari
Regular Member
 
Posts: 47
Joined: March 24th, 2008, 5:24 am

Re: spyware problem

Unread postby chryssi2001 » March 29th, 2008, 12:14 pm

Hi helen,

"jre-6u4-windows-i586-p.exe but "jre-6u5-windows-i586-p.exe. so i went for it, hope its ok


Yes that's fine. The jre-6u4-windows-i586-p.exe was my mistake, i fixed my Java speech now, thanks for telling me so.

Did you install the new version of Java or is the installation icon still on your desktop?
Please double click on the icon to install it.
Then use this method to find the old version and remove it.

Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following file: if found, delete the following (some may not be present after previous steps):

C:\Program Files\Java\jre1.5.0_02

Let me know how it goes. ;)
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 91 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware